2005 Q4 DEGRADED OPERATION
#8
(02-03-2016, 04:38 PM)dorothy.pipet Wrote: Another attempt for comments please
Done open book, untimed.
Part a)

Item 1 - worth specifying the extent of the affected area (i.e. in the case of an ETCS L3 solution: one base station affecting, say, a 1 km radius, or a loss of comms between interlocking and RBC or between the RBC and many base stations, each of which would affect a much wider area).

Item 2 - ok, but it might have been better, for giving a more wide-ranging context later, to have been more fundamental, since if it is only the loss of the cab display the train would still be reporting its position etc. to the interlocking.

Item 3 - ok, but not an obvious one for the scope of the question. However I thought that it was going to turn out to be very clever and that you'd have drawn upon this scenario further on in your answer and identified that a fall-back system would also have depended upon this same input and therefore this was a common mode type failure for the primary and fallback. However you didn't seize this opportunity and therefore it just looks like you couldn't think of a third that was more closely related to the cab signalling system.

As the examiners say, always think of the question as a whole as well as each separate part.

I certainly think that you could have constructed a good answer with this as one of the failure events; otherwise I'd have presented the failures as:
a) non-communicating train,
b) loss of comms affecting a small area,
c) loss of the office end of the system affecting a very large area.



Part b)

2nd bullet; probably ought to have broken this down a bit more at least into the on-board and the line side subsystem.  This relates also to bullet 3 because the key thing about recovery from such a failure is not the repair of the fault but rather the time taken to get the defective train to a place where the passengers can be disembarked and clear of the line to enable the remainder of the service to resume; quite how long the casualty languishes there before being recovered to a depot where fault rectification can be undertaken is not the immediate issue. Worthwhile distinguishing this from the scenario in which there is a line side fault which affects all trains and for which the MTTR is directly relevant.
 
The thing, given that this is Module 1 after all, that you really should have mentioned was SAFETY. A bit of a black mark that despite your sizeable list you didn't appear to factor this into your assessment at all - tut tut!
Don't forget that the question was very specific in emphasising that there is no requirement for line side infrastructure in normal operation. Hence in many failure scenarios the signaller has no idea where all the trains are (and possibly not even how many there are in the area which is no longer under control). Hence the signaller is faced with a difficult situation to manage which clearly has safety implications.
 
Otherwise I think you had enough in this section but something that I would have included is the additional complexity in system architecture and indeed potential hazards introduced when changing over from one mode of operation to another.  Of course these must be offset against the risks of the purely procedural degraded working that would have to be adopted in the event of a failure of the system if there were no equipment provided for a fall-back mode of operation.
 
Part c)

I think I would interpret "HOW" as meaning:
  • "to what safety integrity level?",
  • "what level of functionality should be incorporated?",
  • "is it just for the junction areas or a substitute signalling system for the entire line?",
  • "how free-standing from the new signalling system?" (i.e. of your items in part a, does it attempt to give a degraded solution for 1, 2 and 3 or only some of these?) and, if there is some dependency between them, is it the bedrock on which the in-cab system is overlaid or alternatively does it rely on any elements of the main signalling system (the conventional point detection, object controller and central interlocking perhaps)?
 
The last part of your answer did touch on one such consideration, but as you identified yourself I don't think you "hit the nail on the head" for this portion. One might argue that established procedures and standards are of some value for the detail of presentation, but in terms of the content of the required design they are basically pretty standard, although you could have referred to the NR POSA (of which there are only a few real examples). You did mention Human Factors, which would be one component, but I think you should have presented your answer in terms of:
  1. Defining the high level objectives (as my bullets above seek to scope).
  2. Obtaining a more precise set of requirements.
  3. Validating these from the many perspectives (which would include HF but far wider): Concept of Operations, "Day in the Life of...", HAZOP, HAZID, FTA, FMECA etc., to be satisfied that the fall-back system to be provided is addressing the right problem.
  4. Further, that the associated hazards have been assessed and influence the design solution; follow CSM-RA and manage the Hazard Record.
  5. Estimate the benefits of the proposed solution both in terms of risk reduction and its costs. It may be found necessary to provide the fall-back just on ALARP grounds, but it is more likely that most of the financial justification will depend upon the items you listed in part b, particularly the first.
 
Part d)

In practice it is going to be difficult to use the back-up system regularly;
  • firstly it isn't going to be palatable to cause significant disruption and indeed safety risk in a premeditated manner often enough to maintain enough familiarity amongst the significant number of drivers and signallers involved just to reduce risk for the pretty rare occasion when it would be needed in anger. The effect might be a small reduction of the risk and disruption involved should a real random fault occur, but at too high a price. Just how often would you need knowingly to place the system in an unsatisfactory state to get the required coverage of staff and refresh that knowledge sufficiently? I suggest it is not practicable and arguably not morally acceptable; it would be like choosing to push a few passengers down stairs at stations occasionally in order to check how efficiently the station staff could render first aid, deal with the disruption and ensure that the emergency services and hospital doctors could attend to their injuries effectively! It is not like operating a lineside signalled railway in override through routes, which actually, if timed when no unsupported moves are to be made, causes little disruption.
  • Secondly, some of the failure modes may not be easy to create operationally; we don't really want drivers deliberately creating faults on their trains, for example.
 
Suggest instead that simulation of the degraded mode fall-back system should be included within both the signallers' and drivers' simulators, both prior to implementation and to maintain competence throughout the lifecycle. Otherwise all your suggestions are sensible provisions, but I think you should have explicitly referred to condition monitoring and fault reporting rather than just saying "close monitoring", which is a little vague.
 

Part e)

Study of the failure modes of the primary signalling system does need to be based initially on the system as it would be without any fall-back, and then secondly revisited to see whether the provision of a fall-back signalling system is likely to introduce any other failure modes of the primary system.

Also explicitly consider any possible "common cause failure" that might affect both the primary and the fall-back, since the two failure rates may not be completely independent.

Do separate out:
  1. the justification for spending money to reduce the risk to be ALARP,
  2. the choice to invest money in order to reduce the other financial / reputational risks.
Whereas the question asked for cost-effectiveness, I think that in this module in particular you should show that you recognise that there are safety obligations which may go beyond pure cost-benefit analysis.
 
Overall though I thought that this was a pretty good answer and I think that it would have achieved a Credit.
 

 
PJW
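The point made in part e above, that the primary and fall-back failure rates may not be independent, can be made quantitative with a beta-factor common-cause model. The following is an added example, not part of PJW's post or the original exam answer: it compares the probability of losing both the primary signalling system and the fall-back at the same time under an independence assumption against the same systems with a fraction beta of the primary's failures treated as common-cause (taking the fall-back down as well). All failure rates, repair times and the beta value are constructed for illustration and are not figures for any real ETCS installation.

```python
"""Joint unavailability of a primary signalling system and its fall-back.

Added example with constructed figures. Models:
  (a) independence: P(both down) = U_primary * U_fallback
  (b) beta-factor:  a fraction `beta` of the primary's failure rate is treated as
      a common-cause event that takes the fall-back down too; the remainder of
      the primary's failures and all of the fall-back's failures are independent.
All rates are per hour; repair times (MTTR) are in hours.
"""


def unavailability(failure_rate: float, mttr: float) -> float:
    """Steady-state unavailability of a repairable item, lambda*MTTR / (1 + lambda*MTTR)."""
    if failure_rate < 0 or mttr < 0:
        raise ValueError("failure rate and MTTR must be non-negative")
    x = failure_rate * mttr
    return x / (1.0 + x)


def joint_unavailability_independent(lam_primary: float, mttr_primary: float,
                                     lam_fallback: float, mttr_fallback: float) -> float:
    """Fraction of time both are down if their failures are assumed independent."""
    return unavailability(lam_primary, mttr_primary) * unavailability(lam_fallback, mttr_fallback)


def joint_unavailability_beta(lam_primary: float, mttr_primary: float,
                              lam_fallback: float, mttr_fallback: float,
                              beta: float, mttr_common: float) -> float:
    """Fraction of time both are down under a beta-factor common-cause model.

    beta        fraction of the primary's failure rate that is common-cause
                (assumption: the common-cause rate is scaled from the primary's rate)
    mttr_common time to restore service after a common-cause event (assumed input)
    The two contributions are summed; the overlap between them is second order
    and ignored, which is conservative for small unavailabilities.
    """
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must lie in [0, 1]")
    lam_common = beta * lam_primary
    lam_primary_ind = (1.0 - beta) * lam_primary
    u_common = unavailability(lam_common, mttr_common)
    u_independent_part = (unavailability(lam_primary_ind, mttr_primary)
                          * unavailability(lam_fallback, mttr_fallback))
    return u_common + u_independent_part


def compare(lam_primary: float, mttr_primary: float, lam_fallback: float,
            mttr_fallback: float, beta: float, mttr_common: float) -> dict:
    """Return both estimates and the factor by which the common-cause model is worse."""
    u_ind = joint_unavailability_independent(lam_primary, mttr_primary, lam_fallback, mttr_fallback)
    u_beta = joint_unavailability_beta(lam_primary, mttr_primary, lam_fallback, mttr_fallback,
                                       beta, mttr_common)
    return {
        "independent": u_ind,
        "beta_factor": u_beta,
        "ratio": u_beta / u_ind if u_ind > 0 else float("inf"),
        "hours_per_year_both_down_independent": u_ind * 8760.0,
        "hours_per_year_both_down_beta": u_beta * 8760.0,
    }


if __name__ == "__main__":
    # Constructed figures: primary fails once per 10,000 h and takes 4 h to restore;
    # fall-back (procedural + equipment) fails once per 10,000 h and takes 8 h;
    # 5 % of primary failures are assumed to be common-cause, restored in 4 h.
    result = compare(lam_primary=1e-4, mttr_primary=4.0,
                     lam_fallback=1e-4, mttr_fallback=8.0,
                     beta=0.05, mttr_common=4.0)
    for key, value in result.items():
        print(f"{key:>40}: {value:.3e}")
```

With these constructed inputs the independence assumption predicts both systems down about 3e-7 of the time, while a 5 % common-cause fraction raises that to about 2e-5, roughly sixty times higher. The lesson for the hazard analysis in part e is that the common-cause term, not the product of the two individual unavailabilities, dominates the "loss of both" figure unless the fall-back genuinely shares nothing with the primary.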
Messages In This Thread
2005 Q4 DEGRADED OPERATION - by seastmond - 29-05-2009, 05:00 PM
RE: 2005 Q4 DEGRADED OPERATION - by PJW - 26-09-2010, 04:46 PM
RE: 2005 Q4 DEGRADED OPERATION - by PJW - 26-09-2010, 05:17 PM
RE: 2005 Q4 DEGRADED OPERATION - by dorothy.pipet - 02-03-2016, 04:38 PM
RE: 2005 Q4 DEGRADED OPERATION - by PJW - 10-05-2016, 01:51 PM
RE: 2005 Q4 - degraded modes - by PJW - 31-05-2009, 06:00 PM
RE: 2005 Question 4 - by PJW - 19-06-2010, 11:34 AM